Bug Report
Problematic behavior
The access API endpoint returns, for each user, the abilities, meaning the actions the current user may perform on the targeted user. The front application does not respect these abilities and implements its own business logic, leading to inconsistent behavior between the front and the back application. This can be considered a security risk, as it is possible to change roles by bypassing the front application and calling the API directly.
Expected behavior/code
The front application should build the roles select box and the delete button from the abilities present in the response of the access endpoint.
Steps to Reproduce
Create a new document
Invite someone as an owner
Try to downgrade the role to administrator; the select box warns you that it is not possible.
Inspect the response of the access endpoint: in abilities.set_to_role you have all the roles this user can be changed to.
Environment
Impress version: v3.1.0
Possible Solution
Use the abilities returned by the API.
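As an added illustration of the proposed fix (example code, not from the Impress code base), the following derives the role select box and delete button state from the abilities returned by the access endpoint, next to the front-side rule it replaces. It assumes the access object carries `role` and `abilities`, that `abilities.set_to_role` lists the roles the access may be changed to, and that a hypothetical `abilities.destroy` flag governs deletion; the role names are assumed as well.

```javascript
// Assumed role names (not taken from the report).
const ALL_ROLES = ["reader", "editor", "administrator", "owner"];

// Problematic pattern: the front application re-implements the permission
// rule itself, guessing from the current user's role which targets are allowed.
// Any drift from the backend rule yields the inconsistency the report describes.
function rolesByLocalRule(currentUserRole) {
  return currentUserRole === "owner"
    ? ALL_ROLES
    : ALL_ROLES.filter((r) => r !== "owner");
}

// Proposed pattern: the backend's abilities drive the UI. The select box only
// offers roles listed in abilities.set_to_role (the current role stays visible
// but disabled), it is enabled only if at least one change is allowed, and the
// delete button is shown only when the hypothetical destroy ability is granted.
function roleControlsFromAbilities(access) {
  const abilities = access.abilities || {};
  const allowed = new Set(abilities.set_to_role || []);
  const options = ALL_ROLES
    .filter((r) => allowed.has(r) || r === access.role)
    .map((r) => ({ value: r, disabled: !allowed.has(r) }));
  return {
    options,
    selectEnabled: allowed.size > 0,
    showDelete: abilities.destroy === true,
  };
}

// Constructed sample: an owner access viewed by someone the backend allows no
// change or deletion on. The UI must therefore offer no role change and no delete.
const sampleOwnerAccess = {
  id: "access-1",
  role: "owner",
  abilities: { set_to_role: [], destroy: false },
};

console.log(JSON.stringify(roleControlsFromAbilities(sampleOwnerAccess)));
```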